DDS&T #2378-70
1 July 1970


MEMORANDUM FOR: Director of Security


SUBJECT: Comments on Proposed DCID entitled "Minimum Security Requirements for Multi-Level Operation of Resource Sharing Computer Systems [remainder of title illegible]"


1. I agree with the intent, the security concepts, and with most of the proposed requirements of the proposed DCID, but I do not concur in the draft in its present form. My main criticism is in the wording of several sections--more specifically with three areas of definition which need more careful and precise language before a policy of such far-reaching consequences is promulgated:


--The computer environment for which the policy is to apply is not described consistently throughout the paper.


--The term "multi-level" is not used consistently. Indeed, the concept of security "levels" is not clear.


--The words used in the draft to describe requirements relating to authorization to use these computer systems are not applied with sufficient care.




2. The specific comments below deal basically with such questions of wording. The draft is a good start; particularly noteworthy is the absence of technical jargon. I believe the necessary time should be taken to do a good editing job, regardless of deadlines previously established.


a. The paper fails to distinguish clearly between the use of a computing system in which the user has remote access and the operation of a closed-shop computing center in which the normal operating system being used allows for the running of more than one program concurrently. This problem is illustrated in the first definition on page 7: The terms "multiprogrammed" and "multiprocessing" are used; these terms do not necessarily imply "remotely accessed". Again on page 14 the term "remote batch mode" is used and specific requirements are stated for this method of operation, as distinguished from the interactive terminal mode. The reasons for this distinction are not given; indeed the definition of remote batch mode is not given anywhere in the paper. It is imperative that the environment for which the policy is to apply be more precisely defined before OCS attempts to judge the practicality of some of the requirements. For example, our ability to meet the user identification/authentication requirements (para. 6 (b), page 14) depends on whether the environment is defined to include multi-programming.

Approved For Release 2004/06/29 : CIA-RDP84B00803R000200080072-6


b. At some points in the paper there is an attempt to distinguish between "multi-level" and "compartmented" information. At other points the distinction between these two terms is not made. The wording used at the beginning of paragraph 6 (page 13) is an illustration of the confusion which results from an attempt to distinguish between "levels" and "compartmentation". If interpreted literally, the requirements of this paragraph would not apply to compartmented data at the same security level. Another example of the confusion is in paragraph 3 (Physical Security Protection) on page 12. It is stated that "the computer center area requirements shall be based on the highest level of the total system; remote terminal area requirements depend on the highest level of information designated for input/output at each terminal." But paragraph 3, page 7, says a benign environment is one with protection and control at the top secret level. If the "highest level" of data is below top secret, which of the two statements applies? The same question could be asked concerning the requirement for protection of communication links at the top secret level (page 12) if the data to be transmitted is below that level. The use of the term "multi-security level" on page 2 confuses the matter further. The need for two different terms--"multi-level" and "compartmented"--is questionable. The important point is to provide for adequate separation of information within a system, when creators or users of such information feel that such separation is necessary. Perhaps the term "compartmentation" or "[illegible] information" is adequate in all the [illegible] in the paper [illegible].
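The objection in paragraph b, that a rule phrased only in terms of "levels" would say nothing about compartmented data held at the same level, is easy to make concrete with a small lattice model of labels. The Python below is an added illustration and is not part of the memorandum or of the proposed DCID; the ranking of levels, the compartment names ALPHA and BRAVO, the sample files and every function name are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Assumed ranking of classification levels (example values, not taken from the memo).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (caveats)."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def level_only_allows(subject: Label, obj: Label) -> bool:
    """The literal 'levels only' reading the memo objects to: compartments are ignored."""
    return LEVELS[subject.level] >= LEVELS[obj.level]


def dominates(subject: Label, obj: Label) -> bool:
    """Lattice dominance: at least the object's level AND every one of its compartments."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.compartments >= obj.compartments)


def comparable(a: Label, b: Label) -> bool:
    """Two labels are comparable when one dominates the other; if neither does,
    neither side may read the other's data even though their levels are equal."""
    return dominates(a, b) or dominates(b, a)


def system_high(labels: Iterable[Label]) -> Label:
    """The least label dominating every label in the system (the lattice join).

    This is one precise reading of the draft's 'highest level of the total system':
    the maximum level together with the union of all compartments in use.
    """
    labels = list(labels)
    top = max(labels, key=lambda lab: LEVELS[lab.level]).level
    caveats = frozenset().union(*(lab.compartments for lab in labels))
    return Label(top, caveats)


def flows_missed_by_level_only(subject: Label, objects: Iterable[Label]) -> List[Label]:
    """Objects a level-only check would release to the subject but dominance refuses."""
    return [o for o in objects if level_only_allows(subject, o) and not dominates(subject, o)]


if __name__ == "__main__":
    # Constructed sample: a user cleared SECRET for compartment ALPHA only.
    user = Label("SECRET", frozenset({"ALPHA"}))
    files = [
        Label("CONFIDENTIAL"),
        Label("SECRET", frozenset({"ALPHA"})),
        Label("SECRET", frozenset({"BRAVO"})),      # same level, different compartment
        Label("TOP SECRET", frozenset({"ALPHA"})),
    ]
    for f in files:
        print(f, "level-only:", level_only_allows(user, f), "lattice:", dominates(user, f))
    print("released only by the level-only reading:", flows_missed_by_level_only(user, files))
    print("system high:", system_high(files))
```

Run as a script it lists, for each constructed file, what the two readings decide; the SECRET/BRAVO file is the case paragraph b describes, passed by the level comparison and refused by dominance. The `system_high` join is offered as one way to give "highest level of the total system" a definite meaning; that interpretation is this example's assumption, not a reading the draft states.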
c. The following terms are used in the paper to denote the concept of authorization to access the computer system: access authorization (page 11), authentication (page 11), access control passwords (page 11), access approvals (page 11), designated personnel (page 12), user identification/authentication (page 14), authorization codes (page 14), authorized requestor (page 14), access control (page 15), passwords (page 15), user access list (page 15), access limitations (page 16), user authorization (page 16). In some cases these words are used as synonyms, in other cases one can infer that there is a distinction between these words.


d. The paper is addressed to the benign environment, but in some places the paper implies the need for protection against "deliberate unauthorized intrusion" (page 6) and "unauthorized probes" (page 14). The connotation of "benign" can be misleading; perhaps a better choice is [illegible].


3. The most crucial part of the proposed DCID is [illegible] beginning on page 13. Specific comments are made below on each of the required features (as specified by sub-paragraph):


a. Although detail is given on the requirement to include security indicators, there is no purpose stated for this [remainder illegible].
b. The wording used in the initial sentence of this paragraph is much too confusing; it needs to be simplified. The special requirements noted for "remote batch mode" should be stated differently so they will apply for all remote users. That is, if there are procedures which permit the user to leave the area while the computer is still working on his task (regardless of the kind of terminal involved), there also should be a procedure to insure that the computer output is delivered only to him when he returns. Finally, the requirement to identify a specific user with a specific terminal will be unwieldy in CIA Headquarters since it is intended that terminal "service centers" be established for general use of anyone in the area. Also the practice of going to the nearest available terminal has already been well accepted and the security procedures now in effect seem to provide adequate control.


c. This requirement assumes that core is shared among several user programs. Under some operating systems this may not be the case. More importantly, OCS cannot meet this requirement for most of its equipment without special changes made by the manufacturers.


d. The wording of this requirement, as well as others to be met by hardware functions, tacitly assumes that verification of correct operation of these functions is not only possible but also practical. To the contrary, this is a substantial effort in its own right. This is true both of the initial verification that the features do in fact operate as they are designed to operate and also for the continuing inspection of these features to determine that they have not been subverted or circumvented. Rather than use the strict language proposed, it might be better to state these as explicit design goals and add a general statement elsewhere on the hardware/software reliability problem.


e. The wording used here needs to be drastically revised: what does the term "independent hardware" mean? How is "disposable residue" distinguished from "undisposable residue"? What is meant by the term "auxiliary memory"?


f. The word "software" on the second line should be deleted. The use of the term "selected" implies that some files can be used without any "access control". Is this correct? OCS cannot adequately meet the requirement for controlling read/write authority with its present software nor with any other known software suitable for its environment.
g. To obtain a "complete listing of personnel attempting to gain access" would require the cooperation of hostiles. The last sentence of this sub-paragraph might better be included under the security officer duties on page 11.


h. The "direct control" to be exercised by the system security officer in modifying software security features is impossible to guarantee; no one can make the claim that an operating system can be rendered completely invulnerable to attempts to modify it by user programs. The intent of this paragraph should be retained, but it should be reworded to take into account the current state-of-the-art in operating systems.


4. The proposed maximum delay in effecting this policy (1 January 1971) is impractical for OCS and perhaps other centers in CIA as well. While most of the requirements of this proposed directive have been or can be met, there needs to be sufficient time for training security personnel, computer users, and system designers, and to insure that all provisions of this directive are being applied in fact as well as in spirit.


CARL E. DUCKETT
Deputy Director
for
Science and Technology
cc: C/IP Board
9 July 1970
TRAINING

Because the numbers of ADEPT students destined to become full-time computer programmers had been lessening with each running of the course, it was decided to review the goals and selection criteria for enrolling students in the 15-week OCS course in basic programming (ADEPT).


It was decided to initiate a more modest 5-week course "Introduction to Computer Programming" beginning 9 Nov 1970 to be slanted toward those who needed in-depth knowledge in programming but were not being groomed for full-time programmer jobs. The IBC's of all directorates were advised to screen applicants for both courses by administering the Brandon-Wolfe Test (Aptitude Assessment Battery: Programming) and the IBM Programmer's Aptitude Test (PAT) to help determine the individual's potential and performance and use results of these tests in making selections for the two courses; and also that attendance at the 15-week ADEPT course be limited to those expected to fill positions as full-time computer programmers.
10 July 1970
Response to a customer questionnaire relating to their usage of remote terminals in the interactive computer system brought out the following information:

Uses being made of the system:

Programming tasks 47 customers
Information retrieval 38
Calculations 30

Customers were asked, in view of the cost of the 360/67 STAT whether their experience so far had been satisfactory or not. Replies were as follows:
7 Has not paid off and intend to stop terminal use
10 Has not paid off but have no alternative but to continue using it
22 Has not paid off yet but expect it will
48 Has paid off but needs improvement
24 Has paid off and basically satisfied with system
Note, 75% indicated the system was paying off for them.


One of the principal complaints was need for better, or more consistent, response time, in order to increase the payoff of the interactive services.


A good deal of information was received from the customer replies which was helpful in planning for the future.




make them responsible for the control and dissemination of all classified information
COINS 5 August 1970

Current participation in COINS limited to 3 hrs a day on the IBM 360/67. This costs about STAT besides which the system is lost to those Agency components which had begun to depend on it for on-line program development, file handling and computational support.

STAT recommended the Agency acquire a separate computer to be devoted to COINS and other external access applications full time. He assumed the Director of Security would continue to advise against storing Agency-sensitive data in a computer which has a possible data path to an uncontrolled terminal. It appeared that two distinct physical systems would be necessary, principally to avoid the risk of sensitive Agency data accidentally being disclosed outside the Agency.


STAT the CRS should operate the COINS computer, and should have the choice of selecting the type of computer and developing the software.
970, recommended placing the burden of security on the individual agency through procedures which would


